Privacy and Confidentiality in California

All providers in California, including hospitals, nursing facilities,1 community centers,2 and ambulatory surgical centers,3 are required to maintain the confidentiality of their patient medical records. The law also requires that all medical records of individuals receiving Medicare or Medicaid remain confidential and not be released without the written consent of the recipient, unless the information is de-identified and used for statistical or summary data purposes.4 Insurers are also prohibited from disclosing a patient’s medical information to a third party, such as an employer,5 without the consumer’s prior written consent.6 The state has also established the Office of Health Information Integrity to ensure that laws requiring confidentiality of medical information are enforced7 by requiring providers to have safeguards in place to protect the privacy of patient information.8

California law prohibits the disclosure of reports or records that contain a patient’s medical information by any person or entity without first obtaining a valid authorization for release of the information, except in limited circumstances.9 However, a provider, health service plan, contractor or pharmaceutical company cannot require that a patient sign an authorization or consent form as a condition of receiving medical services or being given medications.10,11 The law also gives patients the right to cancel or revoke their authorization at any time.12 Authorizations are not required for the release of medical information when compelled by a court order, by a search warrant, or if otherwise required by law.13 Medical providers may also disclose information without a patient’s authorization to other providers, health facilities, and health care service plans for treatment and payment purposes, as well as to state agencies as part of the provider’s required reporting and research.14 The law specifically prohibits an individual or entity that receives medical information based on a patient authorization from further disclosing the medical information without a new authorization.15 In addition, California disclosure laws allow disclosure of medical information to a patient’s family member if that person is directly involved in the patient’s care or payment.

Any violation of the confidentiality of a patient’s medical information that results in economic loss or personal injury to the patient is punishable as a misdemeanor. An entity or individual that either discloses confidential medical information or obtains or uses such information without the consent of the patient will also be subject to penalties and fines for each violation of a patient’s privacy.16 Similarly, licensed hospitals, community health clinics, nursing homes, or other health facilities must prevent unauthorized disclosure of confidential patient information, or be fined per violation.17

California’s mandatory reporting laws protect the confidentiality of medical information. For example, local health authorities may disclose any information needed to stop the spread of a disease.18 State disease registries as well as the California Department of Health may disclose the confidential information to other states’ registries, local or federal bodies or researchers that may have measures to help treat the disease.19

 

Footnotes

  • 1. 22 CA ADC §72543
  • 2. 22 CA ADC §80070
  • 3. Health & Safety Code §128737
  • 4. 22 CA ADC §51009
  • 5. Health & Safety Code §1374.8
  • 6. 10 CA ADC §2689.11
  • 7. Health & Safety Code §130200
  • 8. Health & Safety Code §130203
  • 9. CA Civil Code §56.11
  • 10. CA Civil Code §56.37
  • 11. CA Civil Code §56.102
  • 12. CA Civil Code §56.15
  • 13. CA Civil Code §56.10(a-b)
  • 14. CA Civil Code §56.10(c-e)
  • 15. CA Civil Code §56.13
  • 16. CA Civil Code §56.36 
  • 17. Health & Safety Code §1280.15
  • 18. 17 CA ADC  §2502
  • 19. Health & Safety Code §103885

 

Privacy and Confidentiality in California

Subtopic Statute/Regulation Description
Patient’s right to confidentiality of medical records/medical information Written Statement of Confidentiality to Patients for Health Service Plans – Cal. Health & Safety Code § 1364.5 All health service plans operating in the state of California must provide to the Director of the Department of Managed Care, a copy of their...
Ambulatory Surgery Data Records – Cal. Health & Safety Code § 128737 Each general acute hospital and freestanding ambulatory surgical clinic must file an Ambulatory Surgery Data Record for each patient where surgery...
Businesses Organized For The Purpose of Maintaining Medical Information-Cal. Civ. Code § 56.06 A business that maintains medical information for individuals or health care providers should be construed as a health care provider for the purposes...
Electronic Record Keeping Systems and Additional Record Requirements - Cal. Health & Safety Code § 123149 Electronic recordkeeping systems; additional requirements Providers using electronic records systems for patient records must use an offsite backup...
Emergency Care Data Records – Cal. Health & Safety Code § 128736 Each hospital must file an Emergency Care Data Record for each patient in a hospital emergency department and must include the following: Date of...
Establishment of the Office of Health Information Integrity – Cal. Health & Safety Code § 130200 An Office of Health Information Integrity is established within the California Health and Human Services to ensure enforcement of state law mandating...
Information Security Program Requirements – Cal. Code Regs. tit. 10 § 2689.14 A licensee is an insurance institution, agent, or support organization licensed by the California Department of Insurance that handles information in...
Patient Record Requirements for Community Health Centers – Cal. Code Regs. tit. 22 § 80070 A separate, current and complete record must be maintained for each patient/client admitted into a community health center.  The patient’s...
Patient Records: Confidentiality and Disclosure – Cal. Health & Safety Code § 11845.5. All substance abuse treatment records are confidential and privileged to the patient and may only be disclosed according to the statute, irrespective...
Patients Health Records Requirements for Nursing Facilities – Cal. Code Regs. tit. 22 § 72543 Records must be kept on each patient admitted into the nursing facility.  The records must be kept for 7 years after the patient is discharged...
Release of Health Information to Employers – Cal. Health & Safety Code § 1374.8 A health plan may not release to an employer any information showing that a covered employee has received services from a health care provider,...
Reporting Requirements of Parkinson's Disease and Confidentiality of Patient Information – Cal. Health & Safety Code §103865 This is from a larger excerpt about the reporting requirements of Parkinson’s disease.  All information that is reported must remain...
Requirements for Medical Record Information Disclosure by Insurance Companies – Cal. Code Regs. tit. 10 § 2689.11 An insurance company cannot disclose a patient’s medical information to a third party without the consumer’s prior written consent.
Confidentiality of substance abuse records 15 CAR § 3999.217, Authorization for Release of Information
Authorization for disclosure and exceptions to authorization requirements Authorization for Release of Medical Information – Cal. Civ. Code § 56.11 “Authorization; form and contents”   A person or entity that wants medical information and is not authorized to receive it, must...
Cancellation or Modification of Authorization for Release of Medical Records – Cal. Civ. Code §56.15 A patient who signs an authorization for release of medical information can at any time cancel or modify the authorization by giving written notice...
Circumstances for Provider Disclosure of Medical Information – Cal. Civ. Code § 56.10 A provider may disclose medical information under the following circumstances: To providers, health care service plans, contractors or other...
Copy Of Authorization To Patient Or Signatory On Demand – Cal. Civ. Code § 56.12 If a patient or signatory to an authorization releasing patient medical information requests a copy of the authorization, the health care provider,...
Further Disclosure By Recipient Of Medical Information – Cal. Civ. Code § 56.13 An individual or entity that receives medical information based on a patient authorization cannot further disclose the medical information unless...
Management Information System/Decision Support System and Access to Information – Cal. Welf. & Inst. Code § 14459.7 "Management information system/decision support system; progress and status reports; expenditures and staffing; access to information"   The...
Patient Record Requirements for Community Health Centers – Cal. Code Regs. tit. 22 § 80070 A separate, current and complete record must be maintained for each patient/client admitted into a community health center.  The patient’s...
Release of Medical Information to Pharmaceutical Companies – Cal. Civ. Code § 56.102 Disclosure of medical information by pharmaceutical company; authorizations, releases, consents, or waivers; exceptions A pharmaceutical company...
Requirements for Medical Record Information Disclosure by Insurance Companies – Cal. Code Regs. tit. 10 § 2689.11 An insurance company cannot disclose a patient’s medical information to a third party without the consumer’s prior written consent.
Requirements for Provider Disclosure of Medical Information – Cal. Civ. Code § 56.1007 A provider may disclose relevant medical information to a patient’s family member, spouse, or relative, if that person is directly involved in...
Disclosure requirements (what providers can disclose, prohibition on further disclosure) Authorization, Release, Consent, or Waiver Enforceability – Cal. Civ. Code § 56.37 No health care provider, health service plan or contractor can require that a patient sign an authorization, consent, release or waiver that would...
Communication of Limitations of Authorization to Recipient of Medical Information – Cal. Civ. Code § 56.14 “Communication of limitations of authorization to recipient of medical information”   An individual or entity that discloses medical...
Release of Limited Information on Specific Patient Unless Written Request by Patient to Prohibit – Cal. Civ. Code § 56.16 If asked about a specific patient, a general acute care hospital can release the patient’s name, address, age, sex, a general description of...
Privacy and Confidentiality – Cal. Health & Safety Code § 11845.5 The identity and records of the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with any...
Confidential information and records; disclosure; consent - Cal. Welf. & Inst. Code § 5328 Records and information relating to the mental health of an individual are confidential and privileged to the patient, and may only be disclosed in...
Destruction of Records-Cal. Civ. Code § 56.101 All health care providers, health service plans, pharmaceutical companies, contractors or other entities must preserve, store, maintain or destroy...
Establishment of the Centralized Consumer Response Unit and Consumer Complaints – Cal. Health & Safety Code §1419 The Department of Health must establish a centralized consumer response unit within the Licensing and Certification Division to respond to consumer...
Violations of confidentiality; penalties Communication of Limitations of Authorization to Recipient of Medical Information – Cal. Civ. Code § 56.14 “Communication of limitations of authorization to recipient of medical information”   An individual or entity that discloses medical...
Reporting of Unlawful or Unauthorized Access or Disclosure of Patient Medical Information – Cal. Health & Safety Code § 1280.15 A licensed hospital, community health clinic, nursing facility, or other health facility must prevent unlawful or unauthorized access or disclosure...
Violations of Patient Confidentiality of Medical Information – Cal. Civ. Code §56.36 Any violation of the provisions of patient confidentiality of medical information that results in economic loss or personal injury to a patient is...
Insurer and Medicaid/Medicare confidentiality requirements, including disclosure laws (Cross reference Medicaid Data, Medicare data, and private insurance data requirements) Confidential Nature of Medical Records For Those Receiving Medical Assistance – Cal. Code Regs. tit. 22 § 51009 All medical records of individuals receiving medical assistance, such as Medicare or Medicaid, must remain confidential and cannot be released...
Confidentiality and disclosure requirements of peer review information (Cross reference to Medical Peer Review) Final proposed action; notice to licentiate; documents to inspect and copy; confidentiality; disclosure – Cal. Bus. & Prof. Code § 805.01 “Final proposed action; notice to licentiate; documents to inspect and copy; confidentiality; disclosure”   The administrator of a...
Medical, Osteopathic, and Podiatry Boards and Disclosure of Information to Public – Cal. Bus. & Prof. Code § 803.1 Medical, osteopathic, and podiatry boards; disclosure of information to public The Medical Board of California can release the following information...
Requirements for Central File of Licensed Practitioners in California – Cal. Bus. & Prof. Code § 800 Central files; creation; contents; complaint forms; confidentiality The California Medical Board must keep a central file of all licensed...
Confidentiality and disclosure requirements of public health reporting information (disease specific information/registry data) (Cross reference to Public Health Reporting) Health facilities; reports; data reporting requirements; hospital discharge abstract data record; exemptions from disclosure requirements; liability – Cal. Health & Safety Code § 128735 Any organization that operates, conducts, owns, or maintains a health care facility, or its officers must report the following:  balance...
Patient HIV Test Results Reporting Requirements for Health Care Providers – Cal. Code Regs. tit. 17 § 2643.5 Within seven (7) days of a patient’s confirmed positive HIV test, the health care provider must report the confirmed positive test to the local...
Reporting Requirements for Cancer Cases and Regional Cancer Registry Requirements – Cal. Code Regs. tit. 17 § 2593 Cancer cases must be reported by all counties to a regional cancer registry, which will then report to the Department of Health Services.  The...
Reporting Requirements of Cancer and Confidentiality of Patient Information – Cal. Health & Safety Code § 103885 This is from a larger excerpt about the reporting requirements of cancer.  All information that is reported must remain confidential. ...
Confidentiality of genetic information Medical and Health Report: Communication of Purpose, Confidentiality and Voluntary Nature – Cal. Health & Safety Code § 102455 The medical and health report required by Health & Safety Code §102450 (pertaining to live birth reporting requirement) must be labeled as...
Disclosure of health information pursuant to court order or subpoena Regulations For an Appointed Special Master and Applications for Court Orders Regarding Disclosure – Cal. Penal Code § 1524(c) This statute governs applications for a court order compelling disclosure; it requires a special master to be appointed and to accompany the person...
Disclosure of medical information for research purposes (Cross reference Research) Reporting Requirements of Parkinson's Disease and Confidentiality of Patient Information – Cal. Health & Safety Code §103865 This is from a larger excerpt about the reporting requirements of Parkinson’s disease.  All information that is reported must remain...